Tickets :: [#12926] invalid token when printing from frameset

6.0.0-alpha12

6/9/25

Summary	invalid token when printing from frameset
Queue	Horde Groupware Webmail Edition
Queue Version	5.1.3
Type	Bug
State	Not A Bug
Priority	1. Low
Owners
Requester	dav (at) geoazur (dot) unice (dot) fr
Created	01/20/2014 (4158 days ago)
Due
Updated	01/24/2014 (4154 days ago)
Assigned	01/22/2014 (4156 days ago)
Resolved	01/24/2014 (4154 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch	No

01/24/2014 11:43:10 PM	Michael Slusarz	Comment #6 State ⇒ Not A Bug	Reply to this comment
The & is nothing more than an encoded version of an ampersand. This is something that is handled by Horde_Url internally. If someone is adding a frameset layer to Horde, it is their responsibility to correctly encode URLs.

01/22/2014 08:43:57 PM	dav (at) geoazur (dot) unice (dot) fr	Comment #5	Reply to this comment
Yes the frameset is not from Horde, but I wondered if it is Horde that encode "&" in its own url, only when used inside a frameset. I thought that this little glitch could be detected and managed inside Horde (maybe we are not alone in using frames). But if you say that this bug is not coming from Horde, ok the problem is really the frameset so never mind. Thanks for your answers.

01/22/2014 07:53:45 PM	Michael Slusarz	Comment #4	Reply to this comment
frameset is "above" Horde. Technically : http://webmail.domain1/index.html is just <frameset><frame src=https://server.domain2/horde/></frameset> I think you can reproduce it easily. Once again, this is not anything provided by Horde. We removed all framesets long ago (Horde 4.0 to be exact). We can't provide bug support/fixes for something that doesn't exist in our code.

01/22/2014 11:41:24 AM	dav (at) geoazur (dot) unice (dot) fr	Comment #3 New Attachment: frameset.patch	Reply to this comment
frameset is "above" Horde. Technically : http://webmail.domain1/index.html is just <frameset><frame src=https://server.domain2/horde/></frameset> I think you can reproduce it easily. Then I don't understand why "&view_token=..." (not the other parameters) is changed to "&view_token=..." in this case. Despite that, all is working well so maybe it's a small glitch. For now I solve it by adding a check of "amp;view_token" to checkToken function in imp/lib/Contents/View.php but I guess it's not a clean solution.

01/22/2014 05:47:15 AM	Michael Slusarz	Comment #2 Priority ⇒ 1. Low State ⇒ Feedback	Reply to this comment
We don't use framesets in Horde (?) Not sure what you are referring to.

01/20/2014 05:08:06 PM	dav (at) geoazur (dot) unice (dot) fr	Comment #1 Priority ⇒ 2. Medium Type ⇒ Bug Summary ⇒ invalid token when printing from frameset Queue ⇒ Horde Groupware Webmail Edition Milestone ⇒ Patch ⇒ No State ⇒ Unconfirmed	Reply to this comment
We use Horde inside a frameset (Gandi domain with "masked" forwarding mode) : login is Ok after setting "use_only_cookies" to false, but view, print, etc. actions for mail/imp, open a new window with "fatal error - invalid token". However when using Horde with direct url, theses actions open correct windows. Actually, when logging from frameset http://webmail.domain1/ then trying to print a mail, url of the new window is https://server.domain2/horde/imp/view.php?Horde=hhh&amp%3Bview_token=ttt-ttt&actionID=print_attach&buid=bbb&id=1&mailbox=mmm&token=ttt-ttt&uniq=uuu whereas when logging from http://server/horde/ then printing, url is https://server.domain2/horde/imp/view.php?view_token=ttt-ttt&actionID=print_attach&buid=bbb&id=1&mailbox=mmm&token=ttt-ttt&uniq=uuu If I edit url with "invalid token" and just replace "&amp%3Bview_token" with "&view_token" then reload, it works : the window shows the expected result. Any idea from where "&" was encoded to "&" when using frame ?